Agent Security Assessment

It is tempting to think of an AI feature as advisory - it produces text, makes suggestions, drafts replies, and a human decides what to do with them. That reassurance evaporates the moment the model's output feeds another system, or the model is handed tools it can call on its own. At that point it is no longer offering advice; it is taking action - and it is an actor you do not fully control, because an attacker may be supplying its instructions through prompt injection, or it may simply make a mistake. The question stops being how clever the model is and becomes how much harm it can do when it is hijacked or mistaken. Our Agent Security Assessment examines exactly that: every way your AI system can reach out and affect the world beyond itself.

This is the third leg of the lethal trifecta - the ability to act on the outside world - and it is the leg that converts the other two from an embarrassment into a catastrophe. An injected, data-rich model that can do nothing is a contained problem (indeed, even exfiltrating data implicitly requires some ability to act, even if that action is simply displaying text on a screen); the same model wired to send email, run code, query databases, or move money is not. It is also where the market is heading fastest, as AI systems become agentic and are handed real tools, which is why this assessment matters more each year. It sits alongside our Prompt Injection and Data Disclosure assessments, which cover the other two legs.

The Model's Output Is Untrusted Input

The first principle, and the one most often missed, is that a language model's output must be treated as untrusted user input - because, by way of prompt injection, an attacker may be the one writing it. Whatever consumes that output inherits the risk, a point many AI agent developers miss. This means that all of the numerous injection vulnerabilities that our Web Application Assessment covers appear in a new guise.

If an AI's response is rendered in a browser, it is a cross-site scripting vector; if it is interpolated into a database query, an injection vector; if it is passed to a shell or an eval, a route to remote code execution; if it is used to build an outbound request, a path to server-side request forgery. An LLM bolted onto your application becomes a new, attacker-influenced source feeding all the classic sinks our Web Application Assessments and Server Security Assessments already examine - and it tends to feed them without any of the validation a developer would apply to ordinary user input. We pay particular attention to one elegant exfiltration channel that ties this leg back to the last: a model induced to emit a Markdown image or link pointing at an attacker's server, so that simply rendering the response leaks whatever sensitive data the attacker has hidden in the URL.

This family of attack vectors is the fifth-highest rated risk family for AI applications according to the OWASP 2025 Top 10 for LLMs, and addressing it is a critical element of AI security. The mitigations combine conventional web security measures against injection attacks with LLM-specific techniques like structured decoding, where logit-suppression constrains the tokens an LLM can generate to obey a formal grammar. We can advise on remediation strategies, as the novel and interdisciplinary nature of this risk makes it a particularly complex security engineering challenge.

Excessive Agency

The more capability you grant the model, the more an attacker - or an honest mistake - can accomplish through it. We assess what your AI system is actually able to do, across the three dimensions where agency tends to run to excess: the tools it can call, which are often broader than the task requires; the permissions those tools hold, which are often far wider than the model needs; and the autonomy with which it acts, taking consequential steps without a human ever confirming them. Each is dangerous on its own and far more so in combination with the injection and disclosure risks of the other two legs. And it is worth stressing that you do not need an attacker for this to bite. A model that hallucinates - confidently inventing a fact, a command, or a recipient - and is trusted to act on its own invention is its own threat. Excessive agency - the sixth-highest rated risk family in the OWASP 2025 Top 10 for LLMs - is what makes both the malicious instruction and the honest hallucination expensive, which is why constraining it is the highest-leverage thing most teams can do.

Unbounded Effects

Not every harm an agent causes is a deliberate breach; some are simply the result of letting it run without limits. We test for unbounded consumption: the agent that falls into a recursive loop and will not stop, the workflow with no ceiling on how many model calls or tool invocations it may make, and the resulting denial-of-wallet attack, in which an attacker - or a bug - runs your inference and API costs up to figures that genuinely hurt. While this may sound far-fetched, unbounded consumption of tokens is in fact rated as tenth-highest on the OWASP 2025 Top 10 for LLMs. We assess whether sensible bounds exist at all: rate and cost limits, loop and recursion detection, timeouts, and caps on the scope of any single task. These are unglamorous controls, but their absence is what enables a quiet afternoon to turn into a five-figure cloud bill.

What You Receive

You receive a clear account of how far your AI system can reach beyond itself - which sinks its output feeds and whether they are protected, which tools and permissions it holds, where it acts without human oversight, and where its consumption is unbounded - with the consequential paths demonstrated rather than asserted. Our remediation is unified by a single principle, least privilege applied to both halves of the model's reach: treat its output as untrusted and validate it at every sink, scope its tools and their permissions to the minimum the task needs, require human confirmation for actions that are irreversible or costly, and put hard bounds on consumption. Break this leg and you defang the whole trifecta - an attacker who can inject your model and reach your data achieves little if the model can neither act nor speak outward in any consequential way. Together with our Prompt Injection and Data Disclosure assessments, this completes the picture; on its own, it tells you how bad a bad day with your AI could get.